The Seqrite Labs APT team has uncovered a sophisticated cyber campaign by the Pakistan-linked Transparent Tribe (APT36) targeting Indian Government and Defense personnel.
This operation, centered around the recent Pahalgam terror attack on April 22, 2025, leverages emotionally charged themes to distribute phishing documents and deploy malicious payloads.
Exploiting Geopolitical Tensions for Cyber Espionage
The attackers have crafted deceptive PDFs and domains mimicking official entities like the Jammu & Kashmir Police and the Indian Air Force (IAF), created just days after the attack, to lure victims into credential theft and malware infection.

The phishing campaign employs meticulously designed PDFs, such as “Action Points & Response by Govt Regarding Pahalgam Terror Attack.pdf,” created on April 24, 2025, under the alias “Kalu Badshah.”
These documents embed malicious links redirecting users to fake login pages hosted on spoofed domains like hxxps://jkpolice[.]gov[.]in[.]kashmirattack[.]exposed, which imitates the official Jammu & Kashmir Police website.
Upon entering credentials, often for @gov.in or @nic.in accounts, the data is siphoned directly to the attackers.
Crimson RAT and Phishing Infrastructure Unmasked
Additionally, a PowerPoint add-in file (PPAM) named “Report & Update Regarding Pahalgam Terror Attack.ppam” contains malicious macros that drop the notorious Crimson RAT.

This remote access trojan, compiled on April 21, 2025, the day before the attack, is disguised as “WEISTT.jpg” and connects to a command-and-control (C2) server at 93.127.133[.]58.
Crimson RAT supports 22 commands, enabling attackers to capture screenshots, exfiltrate files, and execute malicious code, posing a severe threat to sensitive operations.
The infrastructure behind this campaign reveals a pattern of rapid domain registration post-attack, with phishing domains like iaf[.]nic[.]in[.]ministryofdefenceindia[.]org created as early as April 16, 2025.
These domains, hosted across multiple ASNs such as AS 200019 (Alexhost Srl) and AS 213373 (IP Connect Inc), are consistent with APT36’s long-standing tactics of targeting Indian military and government entities.
The use of geopolitical themes like the Kashmir conflict amplifies the psychological impact, aiming to disrupt operations, steal intelligence, and potentially spread disinformation.
If successful, such attacks could compromise national security by exposing sensitive data or enabling deeper network infiltration.
In its report, Seqrite Labs recommends robust countermeasures, including advanced email and document screening, disabling macros by default, and integrating geopolitical threat intelligence to preempt such targeted campaigns.
User awareness training and behavioral analytics to detect anomalies are also critical to mitigate risks.
This campaign underscores the intersection of cybersecurity and geopolitics, highlighting how nation-state actors exploit real-world events for digital warfare.
Indicators of Compromise (IOCs)
| Category | Indicator |
|---|---|
| Phishing Documents | c4fb60217e3d43eac92074c45228506a, 172fff2634545cf59d59c179d139e0aa (examples) |
| Phishing Domains | jkpolice[.]gov[.]in[.]kashmirattack[.]exposed, iaf[.]nic[.]in[.]ministryofdefenceindia[.]org |
| Phishing URLs | hxxps://jkpolice[.]gov[.]in[.]kashmirattack[.]exposed/service/home/ (example) |
| PPAM/XLAM | d946e3e94fec670f9e47aca186ecaabe (example) |
| Crimson RAT | 026e8e7acb2f2a156f8afff64fd54066 (example), IP: 93.127.133.58 (Ports: 1097, etc.) |
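A defender-side check for the spoofing pattern and indicators described above, added here as an example and not code from the Seqrite report: it flags hostnames where a genuine government domain appears as the leading labels of a different registrable domain (the jkpolice.gov.in.kashmirattack.exposed pattern) and matches the report's domain and C2 IP indicators against constructed proxy log lines. The tiny public-suffix stand-in, the log format and the lookalike sample host are assumptions.

```python
import re
# Domains the campaign impersonated (named in the report).
TRUSTED_DOMAINS = {"jkpolice.gov.in", "iaf.nic.in"}
# Network indicators from the report's IoC table, defanging removed.
IOC_DOMAINS = {"jkpolice.gov.in.kashmirattack.exposed",
               "iaf.nic.in.ministryofdefenceindia.org"}
IOC_IPS = {"93.127.133.58"}
# Assumption: a tiny stand-in for the Public Suffix List covering the zones used here.
MULTI_LABEL_SUFFIXES = {"gov.in", "nic.in"}
HOST_RE = re.compile(r"^(?:https?://)?([^/:\s]+)")

def refang(value: str) -> str:
    # Turn 'hxxps://a[.]b' back into 'https://a.b' so indicators match real traffic.
    return value.replace("[.]", ".").replace("hxxp", "http")

def registrable_domain(host: str) -> str:
    # The part of the hostname that the registrant actually controls.
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_host(host: str) -> str:
    # Returns ioc-domain, ioc-ip, trusted, lookalike or unknown.
    host = refang(host).lower().rstrip(".")
    if host in IOC_DOMAINS:
        return "ioc-domain"
    if host in IOC_IPS:
        return "ioc-ip"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"  # a real host under the genuine zone
    for trusted in TRUSTED_DOMAINS:
        # Genuine domain used as leading labels of someone else's registrable domain.
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return "lookalike"
    return "unknown"

# Constructed proxy log lines: timestamp, client, method, target.
SAMPLE_PROXY_LOG = """\
2025-04-25T09:12:01Z 10.0.0.14 GET https://jkpolice.gov.in.kashmirattack.exposed/service/home/
2025-04-25T09:13:44Z 10.0.0.14 GET https://portal.jkpolice.gov.in/login
2025-04-25T09:15:02Z 10.0.0.21 CONNECT 93.127.133.58:1097
2025-04-25T09:16:30Z 10.0.0.33 GET https://iaf.nic.in.example-lookalike.net/
"""

def scan_log(text: str) -> list:
    # (host, verdict) for every line that hits an IoC or looks like a spoofed zone.
    hits = []
    for line in text.splitlines():
        parts = line.split()
        match = HOST_RE.match(parts[3]) if len(parts) >= 4 else None
        verdict = classify_host(match.group(1)) if match else "unknown"
        if verdict not in ("trusted", "unknown"):
            hits.append((match.group(1), verdict))
    return hits
```

Hosts under the genuine zone (portal.jkpolice.gov.in) are deliberately left alone, so the check stays quiet on legitimate traffic while still catching lookalikes that are not yet on an indicator list.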